Compliance Question of the Week 2019
My company’s loan originators (“LOs”) use social media to market themselves. What are some key controls I should put in place to monitor their activity?
Social media platforms (LinkedIn, Twitter, Facebook, websites, etc.) have become a popular way for LOs to market themselves and their services. These types of commercial communications will be considered advertising by regulators and violations of advertising requirements can be costly. It is, therefore, important that residential mortgage companies employing LOs monitor their activities throughout the internet to ensure compliance with federal and state advertising requirements. Some best practices for implementing a social media oversight program include, but are not limited to:
• Identifying, at the time of hire, where an LO may have a social media presence and performing a targeted audit for compliance purposes.
• Training LOs on the “do’s and don’ts” of social media and advertising.
• Maintaining social media business pages on behalf of LOs and restricting them from using personal social media pages for business purposes (this allows an LO to maintain a commercial internet presence while also helping to ensure company control and oversight).
• Requiring all content to be approved by the mortgage company’s compliance department prior to posting.
• Actively and frequently monitoring social media activity, which may include ongoing audits, automated trigger notifications, or implementing software that identifies possible violations for the compliance department to review.
• Documenting findings and corrective action, such as assigning additional training to LOs that are in violation of the company policy.
• Performing a social media search at the time of de-boarding a departing LO to ensure the LO updates all social media pages removing any affiliation with the company. If an LO does not update his/her social media presence in a timely manner, a mortgage company should document its attempts to have the LO make the requested changes.
What are Fannie Mae’s internal audit requirements?
As noted in Fannie Mae’s Selling Guide A1-1-01: Application and Approval of Lender, Fannie Mae requires lenders to have “internal audit and management controls to evaluate and monitor the overall quality of its loan production and/or servicing.”
As outlined in Fannie Mae’s Beyond the Guide, “an appropriate internal audit program should at a minimum include the following key elements:
• An independent reporting structure with direct report to senior management and/or the board of directors. There should be no shared reporting lines within the QC functional areas to be reviewed by the internal audit function.
• A risk assessment methodology used to identify the operational areas and functions to be audited and the frequency of those audits. The risk assessment is generally completed annually by the internal audit department to identify the scope of the review and apply risk rating to the areas to be reviewed. The risk assessment generally identifies the frequency of reviews based on the risk rating applied to the areas listed.
• Documented policies and procedures to detail the internal audit review processes, govern reporting to senior management, and address the remediation of findings.
• A departmental and functional audit schedule for a minimum 12-month period. The schedule should identify the areas subject to review during the current period and align with the risk assessment.”
While not explicit in the Selling Guide in terms of the number and frequency of audits in a calendar year, Fannie Mae leaves it to its Seller/Servicers to determine those items; however, the number of audits and frequency should be commensurate with the size and complexity of the organization. A single audit does not meet the minimum requirements as evidenced in recent MORA examination results requiring a Seller/Servicer to submit the two most recent internal audit reports, minimum 12-month audit schedule, and most recent risk assessment.
As a Mortgagee, am I required to notify FHA if my company’s net worth decreases or I experience operating losses?
Yes, in some instances. HUD Handbook 4000.1, sections I.A.7(g) and (h) outline the requirements when the Mortgagee must notify FHA. In general, the Mortgagee has an ongoing requirement to notify FHA of any changes to the information outlined in its application for FHA approval or in FHA’s eligibility requirements.
Section I.A.7(g) Liquid Assets or Net Worth Deficiency: If at any time a Mortgagee’s adjusted net worth or liquidity falls below the required minimum, the Mortgagee must submit a Notice of Material Event to FHA within 30 business days of the deficiency. The Mortgagee must submit a Corrective Action Plan that outlines the steps taken to mitigate the deficiency and includes relevant information, such as contributions and efforts made to obtain additional capital.
Section I.A.7(h) Operating Loss: If a Mortgagee experiences an operating loss of 20 percent or greater of its adjusted net worth, the Mortgagee must submit a Notice of Material Event to FHA within 30 business days of the loss. The 20 percent threshold applies to losses in any quarter during the fiscal year or losses that exceed 20 percent on the financial statements submitted at recertification. Following the initial notification, the Mortgagee must submit financial statements every quarter until it shows an operating profit for two consecutive quarters, or until it submits its financial reports as part of its recertification.
Did the U.S. Department of Housing and Urban Development (“HUD”) recently issue guidance on the use of Third Party Verification Services?
Yes, on February 15, 2019, HUD published Mortgagee Letter 2019-01, which specifically authorized the use of Third Party Verification (“TPV”) services to verify a borrower’s employment, income and asset information. The Mortgagee Letter explained that “TPV provides an alternative means for verifying a Borrower’s employment, income, and assets [and eliminates] the requirement for a Mortgagee to collect paystubs, W–2s, and bank statements.” HUD explained this revision is meant to align HUD policy with industry practice.
The revised HUD Handbook 4000.1 (the “Handbook”), issued March 27, 2019, indicates a Mortgagee may use contract support for administrative, human resources, and clerical functions including TPV. The Handbook further explains that TPV refers to a process through which a Borrower’s employment, income, and asset information is verified directly by the Mortgagee with a Borrower’s employer or financial institution, through the services of a third-party vendor.
The Mortgagee must still obtain the Borrower’s authorization to verify the information needed to process the mortgage application as more fully set forth in the Handbook.
Is it a conflict of interest for my company’s Quality Control (QC) Manager to also be in charge of Post–Closing? Post–Closing is not a production role but it does fall under Operations and I want to make sure my organization stays compliant with regulators and investors.
If the Quality Control (QC) Manager is not part of the loan production staff or part of the loan administrative process there should be no issue. That said, if the Quality Control (QC) Manager is involved in endorsing, insuring or servicing FHA loans then that individual is not permitted to be involved in the QC process as set forth in the HUD Handbook 4000.1. “The Mortgagee must ensure that employees who perform QC Program functions are, at all times, independent of all Loan Administration processes and do not directly participate in any of the Loan Administration processes represented in the QC Plan. The Mortgagee must ensure QC employees are not within any chain of reporting or management that is directly connected to Loan Administration staff” (pg. 912).
The HUD definition of Loan Administration refers to all aspects of the FHA mortgage lifecycle, including origination, underwriting, closing, endorsement, and servicing of FHA-insured Mortgages that are governed by FHA policies and procedures (pg. 910).
Did the U.S. Department of Housing and Urban Development (“HUD”) recently issue guidance on the use of Third Party Verification Services?
Yes, on February 15, 2019, HUD published Mortgagee Letter 2019-01, which specifically authorized the use of Third Party Verification (“TPV”) services to verify a borrower’s employment, income and asset information. The Mortgagee Letter explained that “TPV provides an alternative means for verifying a Borrower’s employment, income, and assets [and eliminates] the requirement for a Mortgagee to collect paystubs, W-2s, and bank statements.” HUD explained this revision is meant to align HUD policy with industry practice. The revised HUD Handbook 4000.1(the “Handbook”), issued March 27, 2019, indicates a Mortgagee may use contract support for administrative, human resources, and clerical functions including TPV. The Handbook further explains that TPV refers to a process through which a Borrower’s employment, income, and asset information is verified directly by the Mortgagee with a Borrower’s employer or financial institution, through the services of a third-party vendor. The Mortgagee must still obtain the Borrower’s authorization to verify the information needed to process the mortgage application as more fully set forth in the Handbook.
Did the U.S. Department of Housing and Urban Development (“HUD”) recently clarify its requirements in relation to documenting the transfer of gift funds?
Yes, as part of the revised HUD Handbook 4000.1 (the “Handbook”), issued March 27, 2019, HUD clarified its requirements for verifying and documenting the transfer of gifts from a donor to a Borrower. Specifically, the Handbook now indicates in relevant part:
- If the gift funds have been verified in the Borrower’s account, obtain the donor’s bank statement showing the withdrawal and evidence of the deposit into the Borrower’s account.
- If the gift funds are not verified in the Borrower’s account, obtain the certified check, money order, cashier’s check, wire transfer, or other official check evidencing payment to the Borrower or settlement agent, and the donor’s bank statement evidencing sufficient funds for the amount of the gift (pg. 230).
Regardless of when gift funds are made available to a Borrower or settlement agent, the mortgagee must be able to make a reasonable determination that the gift funds were not provided by an unacceptable source. Italicized language above indicates revisions made to the Handbook.
What requirements do residential mortgage lenders have in regard to notifying their Board of Directors (the “Board”) and/or Executive Management of suspicious activity report (“SAR”) filings?
A compliant and effective AML Program includes, among other components, active involvement and oversight by a mortgage lender’s Board and/or Executive Management. Active involvement and oversight requires obtaining sufficient information on SAR investigations and filings so that the Board – or a Board’s equivalent, such as an Executive Management Committee – is able to fulfill its fiduciary duties to the company. Several federal agencies have issued guidance regarding notification requirements for Board members. This guidance may be useful for mortgage lenders in determining how and what to communicate to Board and/or Executive Management members with regard to SAR filings. Specifically, the Federal Financial Institutions Examination Council’s (“FFIEC”) Bank Secrecy Act / Anti-Money Laundering Examination Manual includes a Suspicious Activity Reporting – Overview section, which indicates in relevant part: “Banks are required by the SAR regulations of their federal banking agency to notify the board of directors or an appropriate board committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR.” Additionally, Section 8.1-46 of the Federal Deposit Insurance Corporation’s (“FDIC”) Risk Management Manual Examination Policies explains in relevant part: “Section 353.3 of the FDIC’s Rules and Regulations requires the financial institution’s board of directors, or designated committee, be promptly notified of any SAR filed…
- Customer’s name and any additional suspects;
- Social Security Number or TIN;
- Account number (if a customer);
- The date range of suspicious activity;
- The dollar amount of suspicious activity;
- Very brief synopsis of reported activity (for example, “cash deposit structuring” or “wire transfer activity inconsistent with business/occupation”); and
- Indication of whether it is a first-time filing or repeat filing on the customer/suspects.
Such a tracking report promotes efficiency in review of multiple SAR filings. Nevertheless, there are still some SARs that the board of directors, or designated committee thereof, should review individually…. Financial institutions are encouraged to develop their own parameters for defining ‘significant SARs’ necessitating full reviews; such guidance needs to be written and formalized within board approved BSA policies and procedures.”
When does transitional licensing go into effect and how will it work?
Pursuant to Section 2155 of the federal Economic Growth, Regulatory Relief, and Consumer Protection Act, MLO transitional licensing authority goes into effect on November 24, 2019. Under the law, the following individuals may be granted temporary authority to act as a mortgage loan originator (“MLO”) while completing state-specific requirements for licensure, such as education or testing:
- qualified MLOs who are changing employment from a depository institution to a state-licensed mortgage company; and
- qualified state-licensed MLOs seeking licensure in another state.
NMLS published FAQs entitled, “Temporary Authority to Operate (Temporary Authority) for Mortgage Loan Originators“. Importantly, the FAQs explain that a MLO will not have to submit a separate application for temporary authority. Rather, an MLO applies for a MLO license through NMLS and, if eligible, will automatically receive temporary authority as the applicable state processes the license application. NMLS will be programmed to check certain eligibility requirements, such as criminal history and whether an applicant has had an MLO license application denied, revoked, or suspended. Before a licensing decision is made by the applicable state, an individual with temporary authority will show as being “authorized to conduct business” in the state – the actual license status will not be updated until the state makes a decision with regard to the license application. An individual with temporary authority may originate loans as if he/she possesses a license in that state. The individual and the loans originated by that individual will be subject to the same rules and regulations as applicable to a licensed MLO. IMPORTANT component though, mortgage lenders must monitor the status of an individual’s license application and temporary authority to act as a MLO. If the MLO’s application is ultimately denied, the mortgage lender must reassign any active loans in the pipeline originated by that MLO to a licensed MLO in that state. Further, if a mortgage lender knew of or should have known of a disqualifying event that would cause a license application to be denied, the mortgage lender could face enforcement action by the state for failing to disclose such event. For this reason, it is important to perform background checks and other due diligence on MLOs prior to sponsoring license applications. Refer to AGMB’s prior Compliance Question of the Week: “Is it true there is a new law that permits transitional licensing authority for mortgage loan originators (MLO)?” for detail regarding eligibility requirements and additional information on temporary authority.
Should I maintain a visitor log at my front entrance?
Yes, visitors pose a risk to privacy and security. All companies, especially those in the financial industry who handle consumer non-public and confidential information (NPPI/PII), should maintain a visitor log at each office entrance in order to audit visitors and ensure only authorized individuals are permitted to access the facilities. At a minimum, a visitor log should include the date, time in, visitor’s name, person being visited, reason for the visit, and time out. The employee permitting the visitor should verify the visitor’s identity by reviewing the visitor’s government-issued photo ID to ensure they are who they say they are. A visitor log will also serve as a vital reference tool in the event of unforeseen events (i.e. theft, active shooter situations, or incident breaches) and in an emergency evacuation as it will help accurately account for individuals present within the facility. Mortgage lenders should review branch office visitor logs as part of their branch office oversight procedures to ensure they are being maintained appropriately.
If my third-party provider (“vendor”) has access to consumer personally identifiable information, should provisions addressing the protection of such information be included in the Contractual Agreement with the vendor?
Yes, written agreements with third-party providers should address potential risks associated with data breaches — particularly when the vendor has access to consumer personally identifiable information. The vendor contract is a vital element of the vendor due diligence process and relationship. The contract should capture the nature of the relationship and set forth the contractual rights, obligations and duties of each party. This includes confidentiality requirements, responsibilities in the event of a breach, and liability provisions. Since written contracts are a critical component of a sound vendor management program, regulators may review them with a degree of scrutiny. Failure to maintain sufficient protections within vendor contracts and address risks appropriately may result in unsatisfactory results during a regulatory review or examination. Additionally, insufficient contract protections could expose a company to added civil liability in the event of a breach.
Why is it important to have an adequate compliance training program?
It is important for a residential mortgage lender to develop and implement a written compliance training program to provide employees with the tools needed to succeed given the various rules and regulations that apply and because of the constant regulatory changes. Regardless of a residential mortgage lender’s size, a well-developed compliance training program is a critical component to an effective compliance management system (“CMS”). As part of a thorough CMS, a robust training program helps a company and its employees keep up-to-date on regulatory changes that may impact the business, make correct decisions, manage risks, and avoid costly errors or other legal and/or compliance missteps. A residential mortgage lender’s compliance training program should be current, effective, and commensurate with the entity’s size and risk profile. Oftentimes, this requires training courses to be specifically tailored to reflect how a company operates. It is important that all employees be familiar and in full compliance with a company’s policies and procedures, as well as federal and state consumer protection laws. Employees should also receive comprehensive training based upon their job functions and responsibilities. Per the Consumer Financial Protection Bureau’s Summer 2013 Supervisory Highlights edition (http://files.consumerfinance.gov/f/201308_cfpb_supervisory-highlights_august.pdf), mortgage lenders must provide ongoing training to Board members management and staff. Further, certain federal and state rules and regulations require training on specific subject matters at least annually. For example, mortgage lenders must provide anti-money laundering and privacy/security awareness training at least annually. It is recommended that all training (whether informal or formal) be tracked and memorialized so that a mortgage lender can demonstrate to its regulators that employees are properly completing courses. Further, requiring a test component helps ensure employees are sufficiently grasping the material presented. It is important to note that no two compliance training programs will be identical. Your company’s size, organizational structure, and geographical reach may dictate the structure of your program.
I’m applying for Fannie Mae approval but am unsure of the difference between a Quality Control Audit (QC) and Internal Audit. What exactly is the difference?
A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions, as applicable. A QC audit looks at the end product, regardless of whether the process is credit or compliance focused. Generally, QC audits, which are forms of transactional testing, are narrower in scope than Internal Audits. Internal Audits review for and identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. To this end, an Internal Auditor will perform a number of tasks, such as review policies, procedures, and reports, conduct management interviews with the respective business units to gather information on the process evaluated, document evidence of the process through walkthroughs, and perform transactional testing, as needed. The focus is not necessarily on the end product as is the case with a QC audit, but rather the focus is on the adequacy, soundness, and effectiveness of internal controls within a process to ensure that the mortgage lender attains the end result sought while complying with Agency and investor guidelines, laws and regulations and industry best practices.
When will it be mandatory to use the new Uniform Residential Loan Application (URLA) and what are some of the changes?
Originations commencing July 1, 2019 may use the redesigned URLA and all new loan applications commencing February 1, 2020 must use the new URLA. Given that the new URLA was designed to make it easier for lenders to acquire data required by HMDA, it is expected that lenders will require use of the new URLA before the mandatory implementation date in February 2020. The application has more than doubled in size. The length of the new URLA will vary depending on the number of borrowers, type of loan and type of the transaction (sections are added or deleted based on loan scenarios). The look and feel of the redesigned URLA is similar to the Loan Estimate and Closing Disclosure and contains what is considered more easily understood language and clearer instructions. The GSEs also created a Spanish version of the new URLA form. However, a completed English URLA must be signed by all applicants. A few highlights of the new URLA are as follows:
- New fields have been added based on new federal regulations. For example, there are correct fields for the new demographic information required by HMDA since January of 2018 thereby retiring the Demographic Information Addendum currently utilized.
- Obsolete fields have been eliminated. For example, the applicant is no longer required to list the make and model of their automobile.
- There is defined separation of individual borrower applications.
- The information a borrower must provide, acknowledge and agree to has been separated from the information the broker/lender collects and verifies in connection with the processing and underwriting of the loan.
The redesigned URLA, as well as some FAQs and hints, can be found on the Fannie Mae website here: https://www.fanniemae.com/singlefamily/uniform-residential-loan-application The new URLA is a complete reinvention of the origination of a loan. Brokers and lenders will need to start collecting much more information, which was not previously collected. It is advisable to review the new URLA and start planning how you will collect that data once required.